Public bug reported:
Last night unattended-upgrades upgraded the openssl packages
(libssl1.0.0, libssl-dev, openssl) from version 1.0.2g-1ubuntu4.1 to
version 1.0.2g-1ubuntu4.4 on a CI build server. Then everything that
used PHP to connect to a HTTPS site started crashing when verifying the
server cert.
Like this:
```
jenkins@ubuntutemplate:/var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress$
DATABASE_DATABASE=wordpressmastere2e catchsegv wp plugin install --force
--activate wp-cfm
Deprecated: Methods with the same name as their class will not be constructors
in a future version of PHP; WP_Import has a deprecated constructor in
/var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop
/vagrant/wordpress/wp-content/plugins/wordpress-importer/wordpress-importer.php
on line 38
Notice: Undefined offset: 4 in
phar:///usr/local/bin/wp/php/WP_CLI/DocParser.php on line 124
Segmentation fault (core dumped)
*** Segmentation fault
Register dump:
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 000000000000000c RSI: 000055665071af59 RDI: 0000000000000000
RBP: 0000556650a49e4e R8 : 0000556652364720 R9 : 0000000000000000
R10: 0000000000000000 R11: 00007fdb3c081730 R12: 000055665071af59
R13: 000000000000000c R14: 0000000000000000 R15: 00007fdb39418cf0
RSP: 00007ffc4bad7a08
RIP: 00007fdb3bf77d16 EFLAGS: 00010293
CS: 0033 FS: 0000 GS: 0000
Trap: 0000000e Error: 00000004 OldMask: 00000000 CR2: 00000000
FPUCW: 0000027f FPUSW: 00000000 TAG: 00000000
RIP: 00000000 RDP: 00000000
ST(0) 0000 0000000000000000 ST(1) 0000 0000000000000000
ST(2) 0000 0000000000000000 ST(3) 0000 0000000000000000
ST(4) 0000 0000000000000000 ST(5) 0000 0000000000000000
ST(6) 0000 0000000000000000 ST(7) 0000 0000000000000000
mxcsr: 1fa0
XMM0: 00000000000000000000000000000000 XMM1: 00000000000000000000000000000000
XMM2: 00000000000000000000000000000000 XMM3: 00000000000000000000000000000000
XMM4: 00000000000000000000000000000000 XMM5: 00000000000000000000000000000000
XMM6: 00000000000000000000000000000000 XMM7: 00000000000000000000000000000000
XMM8: 00000000000000000000000000000000 XMM9: 00000000000000000000000000000000
XMM10: 00000000000000000000000000000000 XMM11: 00000000000000000000000000000000
XMM12: 00000000000000000000000000000000 XMM13: 00000000000000000000000000000000
XMM14: 00000000000000000000000000000000 XMM15: 00000000000000000000000000000000
Backtrace:
/lib/x86_64-linux-gnu/libc.so.6(strlen+0x26)[0x7fdb3bf77d16]
php(add_assoc_string_ex+0x32)[0x556650677b12]
php(zif_openssl_x509_parse+0x17c)[0x5566505312ec]
php(dtrace_execute_internal+0x2a)[0x556650664b3a]
php(+0x2e37e0)[0x5566506f97e0]
php(execute_ex+0x1b)[0x5566506b4e2b]
php(dtrace_execute_ex+0xb1)[0x5566506649d1]
php(+0x2e391d)[0x5566506f991d]
php(execute_ex+0x1b)[0x5566506b4e2b]
php(dtrace_execute_ex+0xb1)[0x5566506649d1]
php(+0x2e391d)[0x5566506f991d]
php(execute_ex+0x1b)[0x5566506b4e2b]
php(dtrace_execute_ex+0xb1)[0x5566506649d1]
php(+0x2e391d)[0x5566506f991d]
php(execute_ex+0x1b)[0x5566506b4e2b]
php(dtrace_execute_ex+0xb1)[0x5566506649d1]
php(+0x2e391d)[0x5566506f991d]
php(execute_ex+0x1b)[0x5566506b4e2b]
php(dtrace_execute_ex+0xb1)[0x5566506649d1]
php(+0x2e391d)[0x5566506f991d]
php(execute_ex+0x1b)[0x5566506b4e2b]
php(dtrace_execute_ex+0xb1)[0x5566506649d1]
php(+0x2e391d)[0x5566506f991d]
php(execute_ex+0x1b)[0x5566506b4e2b]
php(dtrace_execute_ex+0xb1)[0x5566506649d1]
php(+0x2e391d)[0x5566506f991d]
php(execute_ex+0x1b)[0x5566506b4e2b]
php(dtrace_execute_ex+0xb1)[0x5566506649d1]
php(+0x2e391d)[0x5566506f991d]
php(execute_ex+0x1b)[0x5566506b4e2b]
php(dtrace_execute_ex+0xb1)[0x5566506649d1]
php(+0x2e391d)[0x5566506f991d]
php(execute_ex+0x1b)[0x5566506b4e2b]
php(dtrace_execute_ex+0xb1)[0x5566506649d1]
php(zend_call_function+0x749)[0x556650666639]
php(zif_call_user_func+0xb5)[0x5566505b39d5]
php(dtrace_execute_internal+0x2a)[0x556650664b3a]
php(+0x2e37e0)[0x5566506f97e0]
php(execute_ex+0x1b)[0x5566506b4e2b]
php(dtrace_execute_ex+0xb1)[0x5566506649d1]
php(zend_call_function+0x749)[0x556650666639]
php(zif_call_user_func+0xb5)[0x5566505b39d5]
php(dtrace_execute_internal+0x2a)[0x556650664b3a]
php(+0x2e37e0)[0x5566506f97e0]
php(execute_ex+0x1b)[0x5566506b4e2b]
php(dtrace_execute_ex+0xb1)[0x5566506649d1]
php(+0x2e391d)[0x5566506f991d]
php(execute_ex+0x1b)[0x5566506b4e2b]
php(dtrace_execute_ex+0xb1)[0x5566506649d1]
php(+0x2e391d)[0x5566506f991d]
php(execute_ex+0x1b)[0x5566506b4e2b]
php(dtrace_execute_ex+0xb1)[0x5566506649d1]
php(+0x2e391d)[0x5566506f991d]
php(execute_ex+0x1b)[0x5566506b4e2b]
php(dtrace_execute_ex+0xb1)[0x5566506649d1]
php(+0x2e391d)[0x5566506f991d]
php(execute_ex+0x1b)[0x5566506b4e2b]
php(dtrace_execute_ex+0xb1)[0x5566506649d1]
php(+0x2ef65c)[0x55665070565c]
php(execute_ex+0x1b)[0x5566506b4e2b]
php(dtrace_execute_ex+0xb1)[0x5566506649d1]
php(+0x2efc7c)[0x556650705c7c]
php(execute_ex+0x1b)[0x5566506b4e2b]
php(dtrace_execute_ex+0xb1)[0x5566506649d1]
php(zend_execute+0x1a7)[0x556650708bf7]
php(zend_execute_scripts+0xc3)[0x556650674bd3]
php(php_execute_script+0x2d0)[0x556650615470]
php(+0x2f48b7)[0x55665070a8b7]
php(main+0x474)[0x5566504fa084]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fdb3bf0d830]
php(_start+0x29)[0x5566504fa1c9]
```
Apparently something in libssl now returns a NULL or not-NUL-terminated
C string which the PHP function openssl_x509_parse then passes to
strlen, which crashes.
After downgrading to 1.0.2g-1ubuntu4.2 which luckily is still in the
repos, everything works:
```
jenkins@ubuntutemplate:/var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress$
apt-cache policy libssl1.0.0
libssl1.0.0:
Installed: 1.0.2g-1ubuntu4.2
Candidate: 1.0.2g-1ubuntu4.4
Version table:
1.0.2g-1ubuntu4.4 500
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64
Packages
*** 1.0.2g-1ubuntu4.2 500
500 http://fi.archive.ubuntu.com/ubuntu xenial-updates/main amd64
Packages
100 /var/lib/dpkg/status
1.0.2g-1ubuntu4 500
500 http://fi.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
jenkins@ubuntutemplate:/var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress$
DATABASE_DATABASE=wordpressmastere2e catchsegv wp plugin install --force
--activate wp-cfm
Deprecated: Methods with the same name as their class will not be constructors
in a future version of PHP; WP_Import has a deprecated constructor in
/var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress/wp-content/plugins/wordpress-importer/wordpress-importer.php
on line 38
Notice: Undefined offset: 4 in
phar:///usr/local/bin/wp/php/WP_CLI/DocParser.php on line 124
Installing WP-CFM (1.4.5)
Ladataan pakettia lähteestä https://downloads.wordpress.org/plugin/wp-cfm.zip...
Using cached file '/home/jenkins/.wp-cli/cache/plugin/wp-cfm-1.4.5.zip'...
Puretaan pakettia...
Asennetaan lisäosaa...
Poistetaan lisäosan vanhaa versiota...
Lisäosa päivitetty onnistuneesti.
Activating 'wp-cfm'...
Warning: Plugin 'wp-cfm' is already active.
jenkins@ubuntutemplate:/var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress$
```
So the issue was introduced between 1.0.2g-1ubuntu4.2 and 1.0.2g-
1ubuntu4.4.
The only patch between them that seems relevant is this:
```
diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-6306-1.patch
openssl-1.0.2g/debian/patches/CVE-2016-6306-1.patch
--- openssl-1.0.2g/debian/patches/CVE-2016-6306-1.patch 1970-01-01
00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2016-6306-1.patch 2016-09-22
12:17:31.000000000 +0000
@@ -0,0 +1,66 @@
+From ff553f837172ecb2b5c8eca257ec3c5619a4b299 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <st...@openssl.org>
+Date: Sat, 17 Sep 2016 12:36:58 +0100
+Subject: [PATCH] Fix small OOB reads.
+
+In ssl3_get_client_certificate, ssl3_get_server_certificate and
+ssl3_get_certificate_request check we have enough room
+before reading a length.
+
+Thanks to Shi Lei (Gear Team, Qihoo 360 Inc.) for reporting these bugs.
+
+CVE-2016-6306
+
+Reviewed-by: Richard Levitte <levi...@openssl.org>
+Reviewed-by: Matt Caswell <m...@openssl.org>
+---
+ ssl/s3_clnt.c | 11 +++++++++++
+ ssl/s3_srvr.c | 6 ++++++
+ 2 files changed, 17 insertions(+)
```
I didn't try building a binary with that patch reverted though, as I'm
happy using the 1.0.2g-1ubuntu4.2 version without the security updates
for the time being, given that this build server is not accessible from
untrusted networks.
Of course, this might just as well be due to some insufficient error
handling or otherwise improper libssl usage in php7.0, but the net
effect is that the latest libssl makes the latest php7.0 in the stable
Ubuntu 16.04 LTS version crash.
ProblemType: Crash
DistroRelease: Ubuntu 16.04
Package: php7.0-cli 7.0.8-0ubuntu0.16.04.2
ProcVersionSignature: Ubuntu 4.4.0-36.55-generic 4.4.16
Uname: Linux 4.4.0-36-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CrashCounter: 1
Date: Fri Sep 23 10:30:31 2016
ExecutablePath: /usr/bin/php7.0
ExecutableTimestamp: 1469647957
InstallationDate: Installed on 2016-05-18 (127 days ago)
InstallationMedia: Ubuntu-Server 16.04 LTS "Xenial Xerus" - Release amd64
(20160420.3)
ProcCmdline: php /usr/local/bin/wp plugin install --force --activate wp-cfm
ProcCwd: /var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress
SegvAnalysis: Skipped: missing required field "Disassembly"
Signal: 11
SourcePackage: php7.0
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:
** Affects: openssl (Ubuntu)
Importance: Medium
Status: New
** Tags: amd64 apport-crash xenial
** Information type changed from Private to Public
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1626883
Title:
libssl 1.0.2g-1ubuntu4.4 causes PHP7 SSL cert validation to segfault
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1626883/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
